Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 06 Jul 2015 09:34:24 +0200
From: Florian Weimer <fweimer@...hat.com>
To: feld@...d.me
CC: oss-security@...ts.openwall.com
Subject: Re: node.js out of band write

On 07/06/2015 01:51 AM, Mark Felder wrote:
> Node has resolved a security vulnerability in their most recent release
> but do not appear to have requested a CVE ID.
> 
> http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
> 
> Node v0.12.6 (Stable)
> Sat, 04 Jul 2015 02:34:23 UTC - release
> 
> This release of Node.js fixes a bug that triggers an out-of-band write
> in V8's utf-8 decoder. This bug impacts all Buffer to String
> conversions. This is an important security update as this bug can be
> used to cause a denial of service attack.

I have trouble reconciling this description with the fix in this commit:

<https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6>

Upstream v8 lacks this change.  Is it required in Node.js because
Node.js pokes at v8 internals in unsupported ways?

-- 
Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ